Business Continuity & Disaster Recovery Policies

Document Version & Control

• Version: 1.0
• Last Review Date: 6 Jan 2025
• Next Review Date: [12 months from last review or upon significant changes]
• Approver: CTO, DPO

Purpose & Scope
These BC/DR Policies establish the framework, responsibilities, and procedures to ensure that our SaaS platform, systems, and data remain available, or can be restored within acceptable timeframes following disruptive incidents (e.g., natural disasters, cyberattacks, equipment failures). They apply to all critical business functions, applications, databases, and infrastructure components hosted on AWS (single-region deployment), Digital Ocean, and integrated third-party services.

Compliance & References

• Standards & Frameworks: ISO 22301 (Business Continuity), ISO 27001: A.17 (Information Security Aspects of Business Continuity), SOC 2 (Availability), NIST SP 800-34 (Contingency Planning)
• Regulations & Requirements: PDPA (Singapore), GDPR (if applicable), and contractual obligations with clients (SLA commitments)
• Related Internal Policies:
  • Information Security Policy
  • Data Management & Database Policies
  • Encryption & Key Management Policy
  • Incident Response & Breach Notification Policy
  • Change Management & Release Management Policies

Roles & Responsibilities

• BCP/DR Coordinator (If Assigned): Oversees the BC/DR program, ensures plans are current, and coordinates training and exercises.
• CTO: Ensures technical feasibility of DR plans, resource allocation for recovery solutions, and alignment with infrastructure capabilities.
• DPO: Ensures that security controls are maintained during DR operations and that recovered environments meet required security standards.
• DevOps & Infrastructure Team: Implements and maintains backup solutions, supports recovery procedures, and ensures infrastructure resiliency.
• Functional/Department Heads: Contribute to identifying critical processes, participate in the Business Impact Analysis (BIA), and support BC/DR exercises.
• Employees & Contractors: Follow BC/DR procedures, participate in drills if required, and report any issues affecting continuity.

---

Business Continuity Policy

1. Business Impact Analysis (BIA):
   • Conduct a BIA to identify critical business processes, their dependencies, and the potential impact of downtime.
   • Determine Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for each critical service or data set as part of the BIA process.
2. Risk Assessment & Mitigation:
   • Identify risks that may disrupt operations (e.g., data center outages, supply chain interruptions).
   • Implement mitigating controls such as redundant systems, data replication, and load balancing where feasible, recognizing a single AWS region deployment.
3. BCP Documentation:
   • Maintain a documented Business Continuity Plan outlining steps to ensure continuous operation or rapid recovery of critical functions.
   • Include communication plans, emergency contact lists, escalation paths, and instructions for alternate working arrangements (e.g., remote work) if applicable.
4. Training & Awareness:
   • Provide periodic training for staff on the BCP, including their roles and responsibilities during disruptions.
   • Conduct annual tabletop exercises or scenario-based drills to validate and improve the BCP.
5. Maintenance & Review:
   • Review and update the BCP annually or after significant changes to business processes, infrastructure, or regulations.
   • Incorporate lessons learned from incidents, exercises, and audits.

---

Disaster Recovery Policy

1. Recovery Objectives:
   • Define RTO and RPO targets for critical systems and data based on BIA results.
   • Ensure these objectives align with business requirements, SLA commitments, and regulatory considerations.
2. Backup & Replication:
   • Perform daily backups of critical data and retain backups for 30 days.
   • Store backups securely and encrypted, in accordance with the Encryption & Key Management Policy.
   • Periodically verify backup integrity and test restoration procedures to ensure recoverability.
3. Alternate Sites & Failover Strategies:
   • Currently operating in a single AWS region. Evaluate the feasibility of a secondary region or provider for improved resilience as the business evolves.
   • Until then, rely on robust backup and restoration processes for recovery in case of region-wide outages.
4. DR Testing & Exercises:
   • Conduct annual DR tests (full or partial) to validate recovery procedures and team readiness.
   • Document test results, note any issues, and implement improvements.
5. Communication & Coordination:
   • During disruptions or DR activation, communicate internally via Teams alerts or designated channels.
   • Follow the Incident Response & Breach Notification Policy for notifying stakeholders if required.
   • While no specific SLA or regulatory requirements demand client notification, consider proactive communication if disruptions are prolonged.
6. Post-Disaster Review & Continuous Improvement:
   • After a disaster or DR test, perform a post-mortem review to identify areas for improvement.
   • Update DR plans, procedures, and infrastructure based on lessons learned.

---

Compliance & Audit

• Regulatory Compliance:
  • Comply with PDPA (Singapore) and GDPR (if applicable).
  • In the absence of explicit regulatory restoration timeframes, strive to meet defined RTO/RPO targets and maintain documentation for potential audits.
• Internal & External Audits:
  • Support audits evaluating BC/DR capabilities.
  • Address findings promptly and update plans as needed.
• Policy Exceptions:
  • Document and approve any exceptions through a formal risk acceptance process overseen by the CTO and DPO.

---

Policy Review & Maintenance

• Review Cycle:
  • Review these BC/DR Policies annually or after significant changes to technology, operations, or regulations.
  • Update policies and related plans to ensure their continued effectiveness and alignment with business needs.